On 9/27/06, Carlos A. Garcia G. <[EMAIL PROTECTED]> wrote:
> ;)
> Sorry, ok, the problem is this: someone told my boss that the email
> messages have been read by someone else. This information came from our
> ISP. We have an E1 connection (it's like a T1 connection), so with that
> information they said that the "hacker" redirects the messages before
> they get to the mail server, and after being read the message hits the
> mail server. So the question is whether someone can do that, because of this
> information.

redirecting before it hits the mail server would probably be either at the
sender's network or at your isp, which *should* be able to defend its
network. of course, if the isp is *required* to be compromised (law
enforcement), you would probably want end-to-end encryption.

sendmail as well as many pop/imap servers do support ssl/tls.
of course, you must trust that your server is not compromised.


> now what i think is that it is probable that the hacker is inside my
> local network, but if this was the case, how is it that my isp knows that i
> have a hacker inside my network getting a copy of the mails and sending the
> mails on to their destination?

there are a couple of techniques for (maliciously) rerouting
traffic, which aren't exactly on topic (start with googling dns poisoning
and arp poisoning, go from there).


> i'll give more information; for the time being i have just installed
> stunnel and activated it for pop3 and smtp. i'm thinking of auditing
> my mail server and auditing my network. do you know of tools that
> help to check the information above?

look whether your server "behaves" strangely, e.g. look at the logs,
load patterns etc., and look at it from the "outside": boot a cdrom or
a ramdisk kernel and check whether the binaries are those which you
expect. sniff your server's traffic.

finding whether a box was compromised is not trivial, especially if you
don't find any evidence. if you can afford to do it, better reinstall from
scratch and look where you can tighten up the security.


--knitti
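The "boot from a cdrom and check whether the binaries are those which you expect" step above works best when you recorded what to expect beforehand. The script below is an added example, not code from the thread or from any tool named in it: it records the SHA-256 of every regular file under a directory into a baseline manifest, and later (ideally after booting clean media and mounting the suspect disk read-only) reports files that were modified, removed or added since the baseline. The paths in the usage comment are assumptions; the manifest format ("hash  path" per line) is the same one sha256sum(1) produces, so an existing sha256sum listing can be used as the baseline too.

```python
# Added example (not from the original thread): baseline integrity check of
# a directory tree, for comparing a possibly compromised system against a
# record of the binaries you expect. Paths in the usage comments are assumptions.
import hashlib
import os
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of one file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under `root` (relative path) to its SHA-256.
    Symlinks are skipped deliberately: a link pointing elsewhere must not
    stand in for the file the baseline recorded."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[str(p.relative_to(root))] = sha256_of(p)
    return manifest


def save_manifest(manifest, out_path):
    """Write 'hash  path' lines (sha256sum format). Keep this copy off the
    box, e.g. on read-only media, or a compromise can rewrite it too."""
    with open(out_path, "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def load_manifest(in_path):
    """Read a manifest written by save_manifest (or by sha256sum)."""
    manifest = {}
    with open(in_path) as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, rel = line.split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify(root, baseline):
    """Compare the tree under `root` against `baseline`.
    Returns sorted lists of modified, missing and added relative paths."""
    current = build_manifest(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


if __name__ == "__main__":
    import sys
    # Assumed usage (paths are placeholders):
    #   python integrity.py build  /usr/sbin            baseline.txt   # on a known-good system
    #   python integrity.py verify /mnt/suspect/usr/sbin baseline.txt  # from clean boot media
    mode, root, manifest_file = sys.argv[1:4]
    if mode == "build":
        save_manifest(build_manifest(root), manifest_file)
    else:
        report = verify(root, load_manifest(manifest_file))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind}: {p}")
        sys.exit(1 if any(report.values()) else 0)
```

Run the build step once on a system you still trust (or against a freshly installed copy of the same packages), store the manifest somewhere the box cannot write to, and run the verify step from the cdrom or ramdisk boot so that a modified kernel or libc on the suspect disk is not the one doing the hashing.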
